Blogs

Will your password fail you?

A hacker can use a video card to automatically guess billions of passwords in seconds

The pace of technology is amazing. Our generation is talking about megabytes, gigabytes and terabytes, but the next generation will talk about petabytes, exabytes and zettabytes. While most people may use the extra processing power for things like converting files or quicker encoding of videos, some people will use it to try and crack your password.

If you're one of the millions of people who use the same password on more than one website, then this article is for you.

Interacting online often involves signing up to a website, which means creating a username and password. For me the list is long… I've signed up to GeoCities, Hotmail, my own domain, Myspace, eBay, several ISPs, Yahoo, Gmail, PayPal, my bank and so on. But over the course of a few years some of these sites were hacked and passwords were exposed. I thought I was clever and changed my password by adding a few characters.

These days, more and more high profile sites are being hacked and millions more passwords are being revealed. Many websites have started enforcing complex passwords that contain things like numbers, letters, symbols and one uppercase letter with no repeating characters. Before too long, remembering passwords is going to be impossible.

Good websites will either encrypt your password or turn it into hash, which is a one-way representation of the password that can't be reversed. More secure websites will combine your hashed password with a random chunk of text (known as salt). This means every time you logon to that site, your password is hashed and then compared to the same one-way hashed version of it. Hashed passwords are usually long, so it would take a human a very long time to go through all the possibilities, one by one, for a 10-character password.

The problem is that humans don't do the tedious grunt work guessing passwords - computers do. A hacker can use a video card to automatically guess billions of passwords in seconds. A hacker who's obtained a hashed password and a salt from a website can then generate billions of new hashes until they match your hashed password. The more websites you've signed up for and the more times you've used the same password, the higher the chances are that a hacker can use your password for www.lolcats.com to break into other sites.

Ideally your passwords should be over 30 characters long and should be different for every site. Changing your passwords every month is a good idea as hackers rarely use your exposed login details straight away. Consider using a software password manager to securely generate and store your passwords. A separate/long password for each site is ideal.

If you want to see how long it would take a hacker to crack your password check out https://howsecureismypassword.net

To learn how the Internet works and how you can protect yourself online check out the free Security Now podcast.

Aussie blogger Troy Hunt explains and exposes security issues.